Conversation

Wow, it's really happening! Thanks Microsoft. Your move now, Google. 😈

Quote Tweet

Microsoft is rolling out outbound SMTP #DANE in Microsoft 365 Exchange Online and we seen them querying for TLSA records already m365admin.handsontek.net/upcoming-relea stats.sidnlabs.nl/en/mail.html#t

Replying to

>Thanks Microsoft On Rich's account? Wow, Hell must've _really_ frozen over :o...

Replying to

Normalizing the mechanism to let mail recipient sites make MITM impossible is huge. Europe is on board but US has been nasty holdout with Google refusing to support the standard & others not taking action. MS doing it is game-changing.

Replying to

Now if only Microsoft would let me SEND email to their domains and take me off their GD blacklist. I have DKIM set up properly, what more do you want?!

Replying to

and

You should also make sure you have a DMARC p=reject policy or mail without a valid DKIM signature aligned with the FROM address won't actually be rejected. It's likely that none of that is related to why you're blacklisted by them though. They have multiple different blacklists.

Replying to

and

You can make an account at dersupport.olc.protection.outlook.com/snds/ to check the Outlook SNDS IP blacklist status. It's only for IPv4 since they still don't support IPv6 likely for spam filtering reasons. It's only used for their traditional mail services and Outlook 365 uses a separate approach.

Replying to

and

Their IP blacklist is permanent and never expires. It doesn't matter if the last time the IP sent any spam or even mail of any kind was 15 years ago. We tried to use their appeal process for the GrapheneOS mail server multiple times and rarely even got the automated response.

Replying to

and

Never got in touch with any person there despite us being followed by multiple Microsoft security people, etc. We bought floating IPv4 addresses for our production services (one time fee) and checked them in multiple places. Used one not blacklisted by Outlook for mail server.

10:18 AM · Jan 7, 2022Twitter Web App

Replying to

and

The only solution that's available is getting an IP address they haven't banned and then making sure it doesn't get banned by having the reverse DNS set properly, making sure the A record always points back to the IP address from that name and DMARC with p=reject + DNSSEC.

Replying to

and

If you don't have reverse DNS set properly or have multiple IP addresses in the A record for the MX server, you can end up getting it blacklisted again. This stuff is incredibly stupid and it was a major annoyance for us before we settled on always using long-term floating IPs.